Seven Microsoft patches, five critical

Microsoft has released seven security patches this month, five of them critical.

July's Patch Tuesday includes two that affect the server side. One covers a vulnerability in the Windows Server Service that could allow hackers to remotely execute code on compromised systems.

The other involves the Window Dynamic Host Configuration Protocol Client Service, which could also result in remote code execution.

"DHCP is a communication protocol that allows administrators to centrally manage and automate the assignment of Internet Protocol (IP) addresses in an organisation's network," security vendor Symantec said in an advisory after the updates were announced.

"Therefore, one compromised system could affect other systems connected to it on the same physical network." Users of Windows 2000, Windows XP and Windows Server 2003 may be affected by the flaw.

Meanwhile, there are several vulnerabilties in Microsoft Excel and another that fixes two flaws in Microsoft Office, plus two holes in Microsoft Office Filter that could allow attackers to remote-compromise vulnerable systems.

The most serious flaw is the one affecting the Server Service, said Mike Murray, director of vulnerability research at nCircle. The service basically allows computers to communicate with each other and the flaw allows attackers to potentially send malformed communications over Ports 455 or 139 and lets them take complete control of vulnerable systems, he said.

The DHCP flaw is also serious, but requires the attacker to be on the same network as the vulnerable system, Murray said.

Over the past month, Microsoft has investigated a number of issues related to Excel and Office, following reports that hackers had launched a targeted attack against an unnamed government contractor by taking advantage of a bug in the Excel spreadsheet software.

The seven patches will keep administrators busy, although not so busy as in June. Last month, Microsoft released 12 security updates.